1749 Views, 0 Helpful, 6 Replies

NAT over inside interface between 2 ASA5506

yuri.suslov (Level 1)

Dear Cisco Experts,

We have a bit of an unusual task: we need to allow RDP access from a PC outside one ASA to a PC outside another ASA via the inside network. See the attached drawing.

For the moment I'm able to establish RDP sessions to/from the test machine as shown by the green arrows:

a) RDP client from 192.168.117.211 to server 172.16.8.21 by connecting as 192.168.117.1:50001

b) RDP client from 172.16.8.21 to server 10.3.117.211 by connecting as 172.16.8.201:12119

The configuration of both firewalls is below:

====  TA-FWL ====
!
interface GigabitEthernet1/1
 description WiMax
 nameif outside
 security-level 0
 ip address 10.3.117.1 255.255.255.0
!
interface GigabitEthernet1/2
 description PCN
 nameif inside
 security-level 100
 ip address 172.16.8.201 255.255.248.0
!

object network PC-211-3389
 host 10.3.117.211
 nat (outside,inside) static interface service tcp 3389 12119
 
route inside 195.0.0.0 255.255.255.0 172.16.8.231 1


====  SA-FWL ====
!
interface GigabitEthernet1/1
 description WiMax
 nameif outside
 security-level 0
 ip address 192.168.117.1 255.255.255.0
!
interface GigabitEthernet1/2
 description PCN
 nameif inside
 security-level 100
 ip address 195.0.0.201 255.255.255.0
!

object network PC-211-3389
 host 192.168.117.211
 nat (outside,inside) static interface service tcp 3389 12119

object network TEST-RDP
 host 172.16.8.21
 nat (inside,outside) static interface service tcp 3389 50001

access-list OUTSIDE-IN extended permit tcp any object TEST-RDP
access-group OUTSIDE-IN in interface outside

route inside 172.16.8.0 255.255.248.0 195.0.0.231 5

However when I change

object network TEST-RDP
 host 172.16.8.21
 nat (inside,outside) static interface service tcp 3389 50001

to 

object network TEST-RDP
 host 172.16.8.201
 nat (inside,outside) static interface service tcp 12119 50001

RDP session could not be established.

Anything else I've missed from the ASA's configuration?

Thank you in advance,

Yuri


6 Replies

yuri.suslov (Level 1)

Topic moved to "Firewalls" category.

Cezar Fistik (Level 1)

Yuri,

When configuring a static NAT in the form '(outside,inside) static interface' you're translating the source IP of your outside host to the IP address of the firewall inside interface. If you want to translate it again on the other firewall, you'll need to have something like this:

object network TEST-RDP
 host 195.0.0.201 #on TA-FWL or host 172.16.8.201 on SA-FWL
 nat (inside,outside) static interface service tcp 'port' 'mapped-port'

Now the ports. Since, after the first translation, your destination port is already 3389, you don't need to translate it and you can try 'service tcp 3389 3389'.

Hope that helps.

But generally speaking, I would avoid NAT completely if possible. Can you just add a couple of persistent static routes to those hosts so that they know how to reach each other? This way you can avoid NAT completely and use regular routing for connectivity.

Hi Cezar,

Unfortunately we could not avoid NAT. My drawing was simplified; actually we have 50+ special devices behind TA-FWL on the 10.3.117.0 network which must be accessed from the main server 172.16.8.111 via a single inside IP of the firewall. So we used the NAT port convention 1__ip__service, i.e.

inside address 172.16.0.201:12223 mapped to outside 10.3.117.222 port 503

inside address 172.16.0.201:12238 mapped to outside 10.3.117.223 port 80

And sorry, I did not understand your advice in the first reply. I will explain what I need exactly. The current firewall configuration allows me to:

Launch an RDP client on 192.168.117.211 with a connection to 192.168.117.1:50001 --> connected to the RDP server on 172.16.8.21 port 3389

Launch an RDP client on 172.16.8.21 with a connection to 172.16.8.201:12119 --> connected to the RDP server on 10.3.117.211 port 3389

Now I need to:

Launch an RDP client on 192.168.117.211 with a connection to 192.168.117.1:50001 --> connected to the RDP server on 10.3.117.211 port 3389

Please advise,

Yuri

Hi Yuri,

If I understood you correctly, I think this configuration should work for what you need, assuming you don't have an access-list on the inside of TA-FWL. If you do, adjust it to allow the connection. In summary, this configuration should allow host 192.168.117.211 to initiate a connection to 192.168.117.1:50002 (I changed the port, see the comment in the config). At the SA-FWL, the destination address:port will be NAT'ed to 10.3.117.211:3389 and routed towards TA-FWL. TA-FWL will NAT the source IP of 192.168.117.211 to 10.3.117.1 while keeping the port intact, i.e. 3389.

====  SA-FWL ====
!
interface GigabitEthernet1/1
 description WiMax
 nameif outside
 security-level 0
 ip address 192.168.117.1 255.255.255.0
!
interface GigabitEthernet1/2
 description PCN
 nameif inside
 security-level 100
 ip address 195.0.0.201 255.255.255.0
!

object network RDP-CLIENT
 host 192.168.117.211
!
object network RDP-SERVER
 host 10.3.117.211
 nat (inside,outside) static interface service tcp 3389 50002
! Here you'll need to use a different port, since 50001 is already mapped to 172.16.8.21:3389
!
route inside 10.3.117.0 255.255.255.0 195.0.0.231 1
!
access-list OUTSIDE-IN extended permit tcp object RDP-CLIENT object RDP-SERVER eq 50002
access-group OUTSIDE-IN in interface outside


====  TA-FWL ====
!
interface GigabitEthernet1/1
 description WiMax
 nameif outside
 security-level 0
 ip address 10.3.117.1 255.255.255.0
!
interface GigabitEthernet1/2
 description PCN
 nameif inside
 security-level 100
 ip address 172.16.8.201 255.255.248.0
!

object network RDP-CLIENT
 host 192.168.117.211
 nat (inside,outside) static interface service tcp 3389 3389
!
route inside 192.168.117.0 255.255.255.0 172.16.8.231 1

Regards.

Cezar
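As an added illustration (my own Python model, not code from the thread or from the ASA), this traces the flow Cezar describes through both firewalls with and without the two "route inside" lines, reproducing the "missing routes" failure Yuri reported. The Asa class, build() and trace() are my simplification; the addresses, NAT entries and routes are taken from the accepted answer.

```python
import ipaddress

class Asa:
    """Minimal model of one ASA: static routes plus static object NAT (my simplification)."""
    def __init__(self, routes):
        self.routes = routes   # (network, nameif, next hop or None when directly connected)
        self.dnat = {}         # (ingress nameif, mapped ip, mapped port) -> (real ip, real port)
        self.snat = {}         # (ingress nameif, real ip) -> mapped ip (the egress interface address)

    def egress(self, dst):
        """Longest-prefix match; None means 'no route to host' and the ASA drops the packet."""
        hits = [(ipaddress.ip_network(n).prefixlen, ifc, gw) for n, ifc, gw in self.routes
                if ipaddress.ip_address(dst) in ipaddress.ip_network(n)]
        return max(hits, key=lambda h: h[0])[1:] if hits else None

    def forward(self, in_ifc, src, sport, dst, dport):
        """Un-NAT the destination, then translate the source, then look up the route."""
        dst, dport = self.dnat.get((in_ifc, dst, dport), (dst, dport))
        src = self.snat.get((in_ifc, src), src)
        route = self.egress(dst)
        return None if route is None else (route[0], (src, sport, dst, dport))

def build(with_routes):
    """Both ASAs with the accepted-answer NAT; with_routes adds the two 'route inside' lines."""
    sa = Asa([("192.168.117.0/24", "outside", None), ("195.0.0.0/24", "inside", None)])
    ta = Asa([("10.3.117.0/24", "outside", None), ("172.16.8.0/21", "inside", None)])
    if with_routes:
        sa.routes.append(("10.3.117.0/24", "inside", "195.0.0.231"))
        ta.routes.append(("192.168.117.0/24", "inside", "172.16.8.231"))
    # SA-FWL object RDP-SERVER: nat (inside,outside) static interface service tcp 3389 50002
    sa.dnat[("outside", "192.168.117.1", 50002)] = ("10.3.117.211", 3389)
    # TA-FWL object RDP-CLIENT: nat (inside,outside) static interface -> source becomes 10.3.117.1
    ta.snat[("inside", "192.168.117.211")] = "10.3.117.1"
    return sa, ta

def trace(with_routes, sport=49152):
    """RDP client 192.168.117.211 -> 192.168.117.1:50002; returns the hops or the drop reason."""
    sa, ta = build(with_routes)
    hop1 = sa.forward("outside", "192.168.117.211", sport, "192.168.117.1", 50002)
    if hop1 is None:
        return "dropped at SA-FWL: no route to 10.3.117.211 after un-NAT"
    hop2 = ta.forward("inside", *hop1[1])           # SA-FWL hands the packet to TA-FWL's inside
    reply = ta.egress("192.168.117.211")            # the RDP server's answer must find its way back
    if hop2 is None or reply is None:
        return "dropped at TA-FWL: no route for the reply to 192.168.117.211"
    return hop1, hop2, reply

if __name__ == "__main__":
    print(trace(False), trace(True), sep="\n")
```

On a live ASA the equivalent check is "packet-tracer input outside tcp 192.168.117.211 49152 192.168.117.1 50002 detailed" on SA-FWL, whose phase-by-phase output shows whether the flow dies at UN-NAT, the route lookup or the access-list.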

Hi Cezar,

Thanks for pointing me in the right direction, I got it working now!

The problem was with missing routes to "outside" networks on both firewalls.

Cheers,

Yuri